Merge branch 'openresty:master' into master

.travis.yml

@@ -113,14 +113,17 @@ env:
     - OPENSSL_INC=$OPENSSL_PREFIX/include
     - OPENRESTY_PREFIX=/opt/openresty
   jobs:
-    - OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
+    - OPENSSL_VER=1.1.0l OPENSSL_PATCH_VER=1.1.0d
+    - OPENSSL_VER=1.1.1s OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
 
 jobs:
     include:
         - <<: *linux-s390x
-          env: OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
+          env: OPENSSL_VER=1.1.0l OPENSSL_PATCH_VER=1.1.0d
+        - <<: *linux-s390x
+          env: OPENSSL_VER=1.1.1l OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
         - <<: *linux-ppc64le
-          env: OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
+          env: OPENSSL_VER=1.1.1s OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
 
 install:
   - cpanm --sudo --notest Test::Nginx IPC::Run3 > build.log 2>&1 || (cat build.log && exit 1)

Dockerfile

@@ -0,0 +1,45 @@
+#By GarfieldWTF
+# Use an official Alpine Linux as the parent image
+FROM alpine:latest
+
+# Set environment variables for OpenResty and NGINX versions
+ENV OPENRESTY_VERSION 1.21.4.2
+ENV NGINX_VERSION 1.25.3
+
+# Install required packages and build dependencies
+RUN apk update && apk upgrade && apk add --no-cache \
+    build-base \
+    pcre-dev \
+    openssl-dev \
+    zlib-dev \
+    wget \
+    perl-dev \
+    libxslt-dev \
+    gd-dev \
+    geoip-dev
+
+# Download and extract the source code for OpenResty and NGINX
+RUN wget https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz -O openresty.tar.gz \
+    && wget https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -O nginx.tar.gz \
+    && tar -xzvf openresty.tar.gz \
+    && tar -xzvf nginx.tar.gz
+
+# Build OpenResty and NGINX with OpenResty modules
+RUN cd openresty-$OPENRESTY_VERSION \
+    && ./configure --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-cc-opt="-O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" --with-ld-opt="-Wl,-z,relro -Wl,--as-needed" --prefix=/usr/local/openresty \
+    && make \
+    && make install
+
+# Cleanup
+RUN rm -rf openresty-$OPENRESTY_VERSION nginx-$NGINX_VERSION \
+    && rm openresty.tar.gz nginx.tar.gz
+
+# Add OpenResty to the system PATH
+ENV PATH="/usr/local/openresty/bin:${PATH}"
+
+# Expose ports if needed
+EXPOSE 80
+EXPOSE 443
+
+# Optional: Set a default CMD to start OpenResty when the container runs
+CMD ["nginx", "-g", "daemon off;"]

patches/nginx-CVE-2024-24989.patch

@@ -1,36 +0,0 @@
-commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
-Author: Sergey Kandaurov <pluknet@nginx.com>
-Date:   Wed Feb 14 15:55:34 2024 +0400
-
-    QUIC: trial packet decryption in response to invalid key update.
-    
-    Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
-    keys is now used to avoid a timing side-channel signal.  Further, this fixes
-    segfault while accessing missing next keys (ticket #2585).
-
-diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
-index 88e6954cf..8223626b6 100644
---- a/src/event/quic/ngx_event_quic_protection.c
-+++ b/src/event/quic/ngx_event_quic_protection.c
-@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
-         key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
- 
-         if (key_phase != pkt->key_phase) {
--            secret = &pkt->keys->next_key.client;
--            pkt->key_update = 1;
-+            if (pkt->keys->next_key.client.ctx != NULL) {
-+                secret = &pkt->keys->next_key.client;
-+                pkt->key_update = 1;
-+
-+            } else {
-+                /*
-+                 * RFC 9001,  6.3. Timing of Receive Key Generation.
-+                 *
-+                 * Trial decryption to avoid timing side-channel.
-+                 */
-+                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
-+                               "quic next key missing");
-+            }
-         }
-     }
- 

patches/nginx-CVE-2024-24990.patch

@@ -1,27 +0,0 @@
-commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
-Author: Roman Arutyunyan <arut@nginx.com>
-Date:   Wed Feb 14 15:55:37 2024 +0400
-
-    QUIC: fixed stream cleanup (ticket #2586).
-    
-    Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
-    ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
-    to the connection (sc->connection = NULL).  Previously if this call failed,
-    sc->connection retained the old value, while the connection was freed by the
-    application code.  This resulted later in a second attempt to close the freed
-    connection, which lead to allocator double free error.
-    
-    The fix is to reset the sc->connection pointer in case of error.
-
-diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
-index df04d0f07..178b805e4 100644
---- a/src/event/quic/ngx_event_quic_streams.c
-+++ b/src/event/quic/ngx_event_quic_streams.c
-@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
-                    "quic stream id:0x%xL cleanup", qs->id);
- 
-     if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
-+        qs->connection = NULL;
-         goto failed;
-     }
- 

util/configure

@@ -554,6 +554,9 @@ _END_
             "\n";
     }
 
+    # disable pcre2 by default
+    push @ngx_opts, '--without-pcre2';
+
     if (!$opts->{no_stream}
         && ! $opts->{no_stream_ssl}
         && ! $opts->{stream_ssl})
@@ -776,8 +779,8 @@ _END_
         }
 
         if ($on_solaris) {
-            $extra_opts .= " INSTALL_X='\$(INSTALL) -m 0755' " .
-                    "INSTALL_F='\$(INSTALL) -m 0644'";
+            $extra_opts .= " INSTALL_X='$root_dir/build/install -m 0755' " .
+                    "INSTALL_F='$root_dir/build/install -m 0644'";
         }
 
         if (defined $cc) {
@@ -950,7 +953,7 @@ _EOC_
             }
 
             if ($on_solaris) {
-                #$extra_opts .= " INSTALL='\$(INSTALL)'";
+                #$extra_opts .= " INSTALL=$root_dir/build/install";
                 if ($opts->{debug}) {
                     $extra_opts .=
                         " CJSON_CFLAGS=\"-g -O -fpic -DUSE_INTERNAL_ISINF\"";
@@ -994,7 +997,7 @@ _EOC_
                 "LUA_LIB_DIR=$lualib_prefix";
 
             if ($on_solaris) {
-                $extra_opts .= " INSTALL='\$(INSTALL)'";
+                $extra_opts .= " INSTALL=$root_dir/build/install";
             }
 
             if ($opts->{debug}) {
@@ -1047,7 +1050,7 @@ _EOC_
             }
 
             if ($on_solaris) {
-                $extra_opts .= " INSTALL='\$(INSTALL)'";
+                $extra_opts .= " INSTALL=$root_dir/build/install";
                 if ($opts->{debug}) {
                     $extra_opts .= " CFLAGS=\"-g -O -Wall\"";
                 }
@@ -1098,7 +1101,7 @@ _EOC_
             }
 
             if ($on_solaris) {
-                $extra_opts .= " INSTALL='\$(INSTALL)'";
+                $extra_opts .= " INSTALL=$root_dir/build/install";
                 if ($opts->{debug}) {
                     $extra_opts .= " CFLAGS=\"-g -O -Wall\"";
 
@@ -1146,10 +1149,8 @@ _EOC_
         } else {
             $target_dir = "\$(DESTDIR)$prefix/bin/";
         }
-        push @make_install_cmds,
-            "mkdir '$target_dir'",
-            "cd $root_dir/build/$opm_dir && "
-                . "\$(INSTALL) bin/* '$target_dir'";
+        push @make_install_cmds, "cd $root_dir/build/$opm_dir && "
+             . "$root_dir/build/install bin/* $target_dir";
     }
 
     # configure resty-cli:
@@ -1163,7 +1164,7 @@ _EOC_
             $target_dir = "\$(DESTDIR)$prefix/bin/";
         }
         push @make_install_cmds, "cd $root_dir/build/$resty_cli_dir && "
-             . "\$(INSTALL) bin/* $target_dir";
+             . "$root_dir/build/install bin/* $target_dir";
 
         if ($platform ne 'msys') {
             # patch the resty script:
@@ -1246,7 +1247,7 @@ sub add_lua_lib ($$$) {
 
         my $extra_opts =
         " DESTDIR=\$(DESTDIR) LUA_LIB_DIR=$lualib_prefix"
-        ." INSTALL='\$(INSTALL)'";
+        ." INSTALL=$root_dir/build/install";
 
         push @make_install_cmds, "cd $root_dir/build/$dir && " .
         "\$(MAKE) install$extra_opts";
@@ -1559,12 +1560,7 @@ sub gen_makefile {
         print $out "DESTDIR ?= $root_dir/\n\n";
     }
 
-    print $out <<_EOC_;
-INSTALL := $root_dir/build/install
-
-.PHONY: all install clean
-
-_EOC_
+    print $out ".PHONY: all install clean\n\n";
 
     print $out "all:\n\t" . join("\n\t", @make_cmds) . "\n\n";
 

util/mirror-tarballs

@@ -513,18 +513,6 @@ if [ "$answer" = "Y" ]; then
     fi
 fi
 
-answer=`$root/util/ver-ge "$main_ver" 1.25.3`
-if [ "$answer" = "Y" ]; then
-    answer=`$root/util/ver-ge "$main_ver" 1.25.4`
-    if [ "$answer" = "N" ]; then
-        echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
-        patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
-        echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
-        patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
-    fi
-fi
-
-
 echo "$info_txt applying the upstream_timeout_fields patch for nginx"
 patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
 echo